All current Intel processors and their chipsets contain a so-called Management Engine (ME), which Intel now calls the Converged Security and Management Engine (CSME). The latest version, CSME 15.0, made its debut in the current 11th-generation Core “Tiger Lake” mobile processors.
In the 30-page “CSME Security Whitepaper”, Intel now explains many functions of the CSME as well as what is new in version 15.0, which among other things improves protection against attacks and tampering. According to the paper, several cryptographic parameters have been strengthened with an eye on future quantum computers: AES now uses 256-bit keys, RSA keys are 3072 bits long, elliptic-curve cryptography moves to 384-bit curves (ECC-384) and SHA-2 digests are likewise 384 bits (SHA-384). Strictly speaking these are larger classical key and digest sizes rather than post-quantum cryptography (PQC) algorithms: doubling the AES key and hash sizes hedges against Grover-style quantum speedups, whereas RSA-3072 and ECC-384 would still fall to a sufficiently large quantum computer running Shor's algorithm.
ODCA instead of EPID
Intel has also built in new mechanisms so that it can respond reliably with a firmware update if essential cryptographic signatures or certificates are compromised. This is one reason Intel is replacing the Enhanced Privacy ID (EPID) previously used in the CSME with an On-Die Certificate Authority (ODCA). With the ODCA, the CSME can issue fresh certificates for its internal firmware functions after a firmware update without having to contact a server.
CSME 15.0 also employs Control-Flow Enforcement Technology (CET), which debuts with Tiger Lake, to protect its firmware against attacks based on Return-Oriented Programming (ROP): a Shadow Stack (SHSTK) keeps a protected copy of every return address, and Indirect Branch Tracking (IBT) only lets indirect jumps and calls land on explicitly marked targets. According to the paper, the CSME also manages the keys for Total Memory Encryption (TME).
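To make the two CET mechanisms concrete, here is an added software model (example code written for this article, not Intel's, and not real x86 behaviour: the opcodes, addresses and the “gadget” are constructed for the toy). A shadow stack keeps a second copy of every return address that ordinary stores cannot reach, so a return address overwritten by a stack overflow no longer matches and the return is refused; indirect branch tracking refuses indirect jumps whose target does not start with an ENDBR marker, which compilers emit at legitimate branch targets. On real hardware both violations raise a control-protection fault (#CP).

```c
#include <stdio.h>
#include <stdbool.h>

/* Toy model (added example, not Intel's code, not real x86 semantics) of the
 * two CET mechanisms: a shadow stack holding a protected copy of each return
 * address, and indirect branch tracking requiring an ENDBR marker at every
 * indirect branch target. Opcodes, addresses and the "gadget" are constructed. */

typedef enum {
    OP_ENDBR,      /* valid landing pad for indirect branches (x86: endbr64) */
    OP_NOP,
    OP_CALL,       /* direct call to arg; pushes return address on both stacks */
    OP_RET,        /* pop return address; with CET, compare against shadow copy */
    OP_JMP_IND,    /* indirect jump to arg (models a corrupted function pointer) */
    OP_WRITE_RET,  /* models a stack overflow overwriting the saved return address */
    OP_PWN,        /* attacker-chosen gadget: reaching it means the hijack worked */
    OP_HALT
} opcode;

typedef struct { opcode op; int arg; } insn;

typedef enum {
    RUN_OK,               /* program halted normally */
    RUN_HIJACKED,         /* attacker's gadget executed */
    RUN_SHSTK_VIOLATION,  /* return address != shadow copy (real CPU: #CP fault) */
    RUN_IBT_VIOLATION,    /* indirect branch to a non-ENDBR target (real CPU: #CP) */
    RUN_FAULT             /* stack under/overflow or pc out of range */
} run_result;

#define STACK_DEPTH 16
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

static run_result run(const insn *code, int ncode, bool cet)
{
    int stack[STACK_DEPTH],  sp  = 0;  /* ordinary stack: reachable by the overflow */
    int shadow[STACK_DEPTH], ssp = 0;  /* shadow stack: only CALL/RET touch it */
    int pc = 0;

    while (pc >= 0 && pc < ncode) {
        const insn i = code[pc];
        switch (i.op) {
        case OP_ENDBR:
        case OP_NOP:
            pc++;
            break;
        case OP_CALL:
            if (sp >= STACK_DEPTH) return RUN_FAULT;
            stack[sp++]   = pc + 1;
            shadow[ssp++] = pc + 1;  /* hardware keeps this copy in pages normal stores cannot write */
            pc = i.arg;
            break;
        case OP_RET: {
            if (sp == 0) return RUN_FAULT;
            int target = stack[--sp];
            if (cet) {
                if (ssp == 0) return RUN_FAULT;
                int expected = shadow[--ssp];
                if (target != expected) return RUN_SHSTK_VIOLATION;
            }
            pc = target;
            break;
        }
        case OP_JMP_IND:
            pc = i.arg;
            /* IBT: the instruction at an indirect branch target must be ENDBR */
            if (cet && (pc < 0 || pc >= ncode || code[pc].op != OP_ENDBR))
                return RUN_IBT_VIOLATION;
            break;
        case OP_WRITE_RET:
            if (sp == 0) return RUN_FAULT;
            stack[sp - 1] = i.arg;   /* the "overflow" only reaches the normal stack */
            pc++;
            break;
        case OP_PWN:
            return RUN_HIJACKED;
        case OP_HALT:
            return RUN_OK;
        }
    }
    return RUN_FAULT;
}

/* Constructed program 1: classic ROP, the saved return address is redirected to a gadget. */
static const insn rop_program[] = {
    /* 0 */ { OP_CALL, 3 },        /* main: call victim() */
    /* 1 */ { OP_HALT, 0 },        /* where victim() should return to */
    /* 2 */ { OP_PWN, 0 },         /* gadget the attacker wants to reach */
    /* 3 */ { OP_ENDBR, 0 },       /* victim() entry */
    /* 4 */ { OP_WRITE_RET, 2 },   /* overflow clobbers the return address -> 2 */
    /* 5 */ { OP_RET, 0 },
};

/* Constructed program 2: jump through a corrupted function pointer into mid-function code. */
static const insn ibt_program[] = {
    /* 0 */ { OP_JMP_IND, 2 },     /* target has no ENDBR marker */
    /* 1 */ { OP_HALT, 0 },
    /* 2 */ { OP_PWN, 0 },
};

/* Constructed program 3: legitimate call, indirect jump to a marked target, matching return. */
static const insn benign_program[] = {
    /* 0 */ { OP_CALL, 2 },
    /* 1 */ { OP_HALT, 0 },
    /* 2 */ { OP_ENDBR, 0 },
    /* 3 */ { OP_JMP_IND, 5 },
    /* 4 */ { OP_PWN, 0 },         /* skipped over by the jump */
    /* 5 */ { OP_ENDBR, 0 },
    /* 6 */ { OP_RET, 0 },
};

run_result rop_without_cet(void) { return run(rop_program, LEN(rop_program), false); }
run_result rop_with_cet(void)    { return run(rop_program, LEN(rop_program), true);  }
run_result ibt_without_cet(void) { return run(ibt_program, LEN(ibt_program), false); }
run_result ibt_with_cet(void)    { return run(ibt_program, LEN(ibt_program), true);  }
run_result benign_with_cet(void) { return run(benign_program, LEN(benign_program), true); }

int main(void)
{
    static const char *names[] = { "ok", "HIJACKED", "shadow-stack violation",
                                   "IBT violation", "fault" };
    printf("ROP chain, CET off : %s\n", names[rop_without_cet()]);
    printf("ROP chain, CET on  : %s\n", names[rop_with_cet()]);
    printf("JOP jump,  CET off : %s\n", names[ibt_without_cet()]);
    printf("JOP jump,  CET on  : %s\n", names[ibt_with_cet()]);
    printf("benign,    CET on  : %s\n", names[benign_with_cet()]);
    return 0;
}
```

The same three programs run with the checks off (the gadget executes) and on (the violation is caught before the gadget runs, while the benign program still completes). On real Tiger Lake silicon the equivalent protection for user-space code is obtained by compiling with -fcf-protection=full (GCC/Clang), which emits endbr64 at indirect branch targets, together with an operating system that enables the shadow stack.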
With CSME 15.0, Intel is separating the different internal CSME functions from each other even more strictly, in order to limit the impact of a successful attack on any one of them. As before, Intel says it tries to keep the code size of the core security functions, the Trusted Computing Base (TCB), as small as possible in order to reduce the likelihood of bugs (minimal TCB). The CSME runs a Minix-based operating system with a microkernel architecture.